Add credential definition examples
[java-idp.git] / resources / conf / relying-party.xml
1 <?xml version="1.0" encoding="UTF-8"?>
2
3 <!--
4     This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
5     particular relying party should be signed.  It also includes metadata provider and credential definitions used 
6     when answering requests to a relying party.
7 -->
8
9 <RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
10                    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
11                    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
12                    xmlns:security="urn:mace:shibboleth:2.0:security"
13                    xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
14                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
15                    xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd
16                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd
17                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd
18                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd
19                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd
20                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
21                                        
22     <!-- ========================================== -->
23     <!--      Relying Party Configurations          -->
24     <!-- ========================================== -->
25     <AnonymousRelyingParty provider="http://example.org/IdP" />
26     
27     <DefaultRelyingParty provider="http://example.org/IdP" />
28     
29     <RelyingParty id="urn:example.org"
30                   provider="http://idp.example.org">
31         <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
32         <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
33         <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
34         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
35         <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
36         <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
37     </RelyingParty>
38     
39     
40     <!-- ========================================== -->
41     <!--      Metadata Configuration                -->
42     <!-- ========================================== -->
43
44     <!-- MetadataProvider reading metadata from a URL. -->
45     <!-- Fill in metadataURL and backingFile attributes with deployment specific information -->
46     <!--
47     <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
48                       metadataURL="http://example.org/my/metadata/file.xml" backingFile="$IDP_HOME$/temp/metadata/somefile.xml" />
49     -->
50                   
51     <!-- MetadataProvider reading metadata from the filesystem -->
52     <!-- Fill in metadataFile attribute with deployment specific information -->
53     <!--
54     <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
55                       metadataFile="$IDP_HOME$/metadata/somefile.xml" />
56     -->
57     
58     <!-- MetadataProvider defining metadata inline -->
59     <!--
60     <MetadataProvider id="InlineMD" xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
61         <EntitiesDescriptor Name="urn:example.org:myFederation" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
62             <EntityDescriptor entityID="urn:example.org:myFederation:idp1">
63                 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
64                     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/myIdP" />
65                 </IDPSSODescriptor>
66             </EntityDescriptor>
67             <EntityDescriptor entityID="urn:example.org:myFederation:sp1">
68                 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
69                     <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.org/mySP" index="0" />
70                     <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.org/mySP" index="0" />
71                 </SPSSODescriptor>
72             </EntityDescriptor>
73         </EntitiesDescriptor>
74     </MetadataProvider>
75     -->
76     
77     <!-- MetadataProvider the combining other MetadataProviders -->
78     <!--
79     <MetadataProvider id="ExampleMD" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata">
80         <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
81                       metadataURL="http://example.org/my/metadata" backingFile="/path/to/temp/location" />
82         <MetadataProvider id="FSMD" xsi:type="FilesystemMetadataProvider" metadataFile="/path/to/metadata/file.xml" />
83     </MetadataProvider>
84     -->
85     
86     <!-- ========================================== -->
87     <!--     Security Configurations                -->
88     <!-- ========================================== -->
89         <!-- Example Credential definition where credential material is inline. -->
90     <!--
91     <security:Credential id="ExampleOrgCred" xsi:type="security:X509Inline">
92         <security:PrivateKey password="changeit">
93 -----BEGIN RSA PRIVATE KEY-----
94 Proc-Type: 4,ENCRYPTED
95 DEK-Info: DES-CBC,720B6CC5F7F6F342
96
97 bOUiEz+T4aLlRJrumwiVgxczTXRWvFO2yCX74YQwN8aq2fPYLF86X08+6xP8RkNQ
98 /BV3TBt0VUjli+/TJkNfKUhiVtr7ZWg5Y6oeI1yjV72DVdFsr4+Q+q7+54LOFRr/
99 pxlDWKmkTEr+7yfqCUPjWcTyriS7fvEXLtevFi+sPejRkAoO8Wiys4hLxOCG69HG
100 GtTL5j9YO3Z2UBXcN1yf0RPXDjd4Rd+46u621W+FKWkvyhPqkHnP0ZFdiAVePWwO
101 K3bICDKJI7nQwxKkaMJOFyp5fuDCRmiroI6yghVH91jFgIp8XxGCx8OsnVbo0SkA
102 k0zdlKAfhWg6lEyKmBGYD4A4J86BFPJ7olL7SuuroVWyRx79Fu8pjomvQr/zp2KG
103 B8OOuBAYv7IVovQo5AzmWhkQhxHlvyfiXWjeghQeCSCDX938F78jfwqAXTxU2c3D
104 kqUG8VQZiHXTlGCiXdLIcwT3JTNPvOBUA7UQMAEJMuc3aiCka7frSNcE8xPKUloe
105 L9gZetFzPQJNVPNg4L8Giw0Hn0L5qoDeu6C/RG9sMNPlXp69LLTKAM0kNw5hRksJ
106 smmbfJUyyhiwTbGkmyc2AyJCMGhzczvyxsKDMhhey2Px87Zm+SL2vBOdg1/X/lLm
107 hlWLjqZQm3A22+mSn+sFpv74b/i1TDLD3VJ+/DK5KcGT+CdkMP7yWX+xzGOqonqS
108 JRKBfbL9ucbyQROkhQByt6ERgB+IR+XwbM9VmkWSHhDh7fQJD29NjvPGYX4PwPp1
109 OI2fqQKXBfIhB4J6eePgb2ZDanPdlYSOS2Ck6jvfm6eG7cGNghI+0Q==
110 -----END RSA PRIVATE KEY-----
111         </security:PrivateKey>
112
113         <security:Certificate>
114 -----BEGIN CERTIFICATE-----
115 MIIDKzCCApSgAwIBAgIJANN2sHcfOFRbMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
116 BAYTAlVTMR0wGwYDVQQIExREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBxMK
117 V2FzaGluZ3RvbjEQMA4GA1UEChMHRXhhbXBsZTEYMBYGA1UEAxMPaWRwLmV4YW1w
118 bGUub3JnMB4XDTA3MDkwODE1MzEzNVoXDTA4MDkwNzE1MzEzNVowbTELMAkGA1UE
119 BhMCVVMxHTAbBgNVBAgTFERpc3RyaWN0IG9mIENvbHVtYmlhMRMwEQYDVQQHEwpX
120 YXNoaW5ndG9uMRAwDgYDVQQKEwdFeGFtcGxlMRgwFgYDVQQDEw9pZHAuZXhhbXBs
121 ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGe69dmKja1MmlVrib0
122 JQirUEj9EGTKy/qp4OQK93tGKmCoUmqG/RH/Cha0QzpRdgHEVpR6kqCuVU6JxfRV
123 5pcQnjyvajrGu2mDRmIn54COZd0lRh1hiotG1QT2+cgh7grOfF5/hO3gxKELuEOY
124 iTorXGSl2k8CCbaymADNUeiTAgMBAAGjgdIwgc8wHQYDVR0OBBYEFIrgEh6KyTds
125 9xKsIVWr2r2H5eqpMIGfBgNVHSMEgZcwgZSAFIrgEh6KyTds9xKsIVWr2r2H5eqp
126 oXGkbzBtMQswCQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1i
127 aWExEzARBgNVBAcTCldhc2hpbmd0b24xEDAOBgNVBAoTB0V4YW1wbGUxGDAWBgNV
128 BAMTD2lkcC5leGFtcGxlLm9yZ4IJANN2sHcfOFRbMAwGA1UdEwQFMAMBAf8wDQYJ
129 KoZIhvcNAQEFBQADgYEAIiBVhDmDnhPdZ3IWTIVUFChunjA4B+OdR+d5kOPf7EE/
130 uLZYahMs/RHvtYH5guRBzCYL5w73H7nq0F2A0U/gRoEZZXzVjgehR8QEAxELy1eE
131 7J6sFFG/tae4stZOFd2cPoVf15MjV/HVPfFmFemRfhu6F5dPC1CMc6bbNSn989A=
132 -----END CERTIFICATE-----
133         </security:Certificate>
134     </security:Credential>
135     -->
136     
137     <!-- Example Credential definition where credential material is read from the filesystem -->
138     <!--
139     <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
140         <security:PrivateKey password="changeit">/path/to/private.key</security:PrivateKey>
141         <security:Certificate>/path/to/entity.cert</security:Certificate>
142     </security:Credential>
143     -->
144     
145     <security:SecurityPolicy id="shibboleth.DefaultSecurityPolicy" xsi:type="security:SecurityPolicyType">
146         <security:Rule xsi:type="samlsec:Replay"/>
147         <security:Rule xsi:type="samlsec:IssueInstant"/>
148         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
149     </security:SecurityPolicy>
150     
151 </RelyingPartyGroup>